Social Security numbers are arguably the most often abused and costly bit of personal information identity thieves like to snatch. And snatch they do, with increasing ease and frequency, from all manner of transactions and databases.
For example, the Government Accountability Office in October issued a report that said, among other things, that 85% of large counties and 41% of small counties in the US make records that may contain SSNs generally available in bulk or online. On top of that, many record keepers do not or cannot restrict the types of entities that can obtain public records and may not know how those records are being used.
Enter the Federal Trade Commission, which today issued a report outlining a plan of attack to help stop the abuse of SSNs. The report urges Congress to strengthen the procedures that private-sector organizations use to authenticate their customers' identities. The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate fraud.
Specifically the agency laid out its top five recommendations to stop SSN-based crime:
1. Improve Consumer Authentication: Requiring all private sector entities that maintain consumer accounts to establish appropriate, risk-based consumer authentication programs could reduce the misuse of consumer data and the prevalence of identity theft. The FTC recommends that Congress consider establishing national consumer authentication standards covering all private sector entities that maintain consumer accounts, other than financial institutions subject to the jurisdiction of the bank regulatory agencies, which already are subject to such requirements. These standards, which should be consistent with those covering financial institutions, should require private sector entities to create a written program that establishes reasonable procedures to authenticate new or existing customers. This approach, which should be fleshed out through agency rulemaking, should be technology-neutral and provide flexibility to private sector entities to implement a program that is compatible with their size, the nature of their business, and the specific authentication risks they face, the FTC said. Finally, the standard should be one of reasonableness and not perfection, acknowledging that there is no fool-proof method of authenticating consumers and no likelihood that one will be developed in the foreseeable future, the FTC said.
2. Restrict the Public Display and the Transmission of SSNs: Restricting the display of SSNs on publicly-available documents and identification cards, and limiting the circumstances and means by which they can be transmitted, would make it more difficult for thieves to obtain SSNs, without hindering their use for legitimate identification and data matching purposes. The Commission recommends that Congress consider creating national standards for the public display and the transmission of SSNs. Federal legislation would establish a nationwide approach to reducing unnecessary display and transmission of SSNs, while addressing concerns about a patchwork of state laws with varying requirements. National standards should prohibit private sector entities from unnecessarily exposing SSNs. The precise standards should include, for example, prohibitions against: publicly posting or displaying SSNs; placing SSNs on cards or documents required for an individual to access products or services provided by a covered entity, including student ID cards, employee ID cards, and insurance cards; transmitting (or requiring an individual to transmit) an SSN over the Internet, unless the connection is secure from unauthorized access or other technologies that render the data generally unreadable; printing an individual's SSN in materials mailed to the individual; and printing an individual's SSN on the outside of an envelope or other mailer, or in a location that is visible without opening the envelope or mailer.
3. Establish National Standards for Data Protection and Breach Notification: The Commission also reiterates its support of its prior recommendation that Congress consider establishing national data breach notification standards requiring private sector entities to provide public notice when the entity suffers a breach of consumers' personal information and the breach creates a significant risk of identity theft or other harms. These standards would also be implemented in rulemaking by appropriate federal agencies. Most states now have breach notification laws, but currently there is no across-the-board federal requirement, the FTC said. In addition to alerting affected consumers to protect themselves, these laws have had the indirect benefit of motivating companies to weigh their need to collect SSNs against the potential cost and liability that may ensue if the SSNs are compromised.
4. Promote Coordination and Information Sharing on Use of SSNs: The Commission recommends that appropriate governmental entities explore helping private sector organizations establish a clearinghouse of best practices, enabling those organizations to share approaches and technologies on SSN usage and protection, fraud prevention, and consumer authentication. Many private sector entities, from large multi-nationals and universities to small businesses and health care systems, have described the difficulties and expense of removing SSNs from computer systems and files, as well as the challenges of keeping up with the sophisticated and changing methods of identity thieves.
5. Conduct Outreach to Businesses and Consumers: The FTC recommends increasing education and guidance efforts to help reduce the role of SSNs in facilitating identity theft. Over the past several years, the Commission and other Task Force agencies (including the Social Security Administration, the Department of Health and Human Services, and the US Postal Inspection Service) have conducted extensive outreach, both to businesses and consumers, on identity theft prevention and recovery, data protection, and safe computing. The Commission anticipates disseminating additional information to businesses on what they can do to reduce their use of SSNs and to safeguard SSNs when they are used. This guidance would ultimately include information regarding any national standards Congress creates for authentication, SSN display and transmission, data protection, and breach notification.
It's not that the government isn't paying attention to the SSN issue. Several bills are pending in Congress that would limit the display or sale of SSNs to the public or to private entities.
For example, S. 238 generally prohibits the display or purchase of SSNs without the express consent of the SSN holder, and it contains an exception for certain public records. H.R. 948 would make it unlawful for any person to sell or purchase SSNs in a manner violating regulations to be promulgated by the SSA. H.R. 3046 would restrict the sale and display of SSNs to the general public by government entities; it does not specifically address SSNs in public records, but it does require the Social Security Administration to develop uniform truncation standards. Finally, S. 2915 would prohibit the display of SSNs to the general public on the Internet by state and local governments unless truncation standards to be set by the SSA in accordance with certain guidelines are met, and it would treat certain unencrypted transmittals of SSNs over the Internet as a public display.